Re: BUG #14090: Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages.

On Sat, Apr 16, 2016 at 4:38 AM, <soufiane(dot)boussali(at)efet(dot)ac(dot)ma> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 14090
> Logged by: Soufiane Boussali
> Email address: soufiane(dot)boussali(at)efet(dot)ac(dot)ma
> PostgreSQL version: 9.5.2
> Operating system: Mac Os
> Description:
> ​[...]​
>
> Some installations of Postgres 8 and 9 are configured to allow
> loading external scripting languages.
> Most commonly this is Perl and Python. When enabled, command
> execution is possible on the host.
> To execute system commands, loading the "untrusted" version of the
> language is necessary.
> This requires a superuser. This is usually postgres. The execution
> should be platform-agnostic,
> and has been tested on OS X, Windows, and Linux.
>
> This module attempts to load Perl or Python to execute system
> commands. As this dynamically loads
> a scripting language to execute commands, it is not necessary to
> drop a file on the filesystem.
>

​That's why they are "untrusted"...and if being superuser is a requirement
then it isn't really an exploit now, is it?

For reference PostgreSQL version numbering requires two digits separate by
a period. Version 8 and version 9 are incomplete identifiers as they lack
the second digit. All versions beginning with 8 are also no longer
supported.

I could not follow the code so my only real guide for complaint/intent is
the description which I've quoted.

David J.
​